AWS Cloud Forensics & Incident Response

Transcript

1. AWS Cloud Forensics & Incident Response TUSHAR VERMA

2. whoami 2 DevSecOps Engineer at Shaadi.com Synack Red Team Member

3. Incident Response in Cloud 3

4. Aspects of AWS incident response Preparation Operations Post-incident activity

5. 9/3/20XX Presentation Title 5

6. Design Goals of Cloud Response Establish response objectives 01 Respond

   using the cloud 02 Know what you have and what you need 03 Use redeployment mechanisms 04 Automate where possible 05 Choose scalable solutions 06 Learn and improve your process 07

7. Cloud security incident domains SERVICE DOMAIN INFRASTRUCTURE DOMAIN APPLICATION DOMAIN

8. AWS SERVICES FOR INCIDENT RESPONSE

9. Aws cloudtrail Log/Identify all API actions performed within an account

   • Who performed it(Principal type, Source IP/Service, User Agent) • When it occurred(Date/Time) • Where it occurred(Region) • What occurred(API action performed) • Which resource(s) were affected(with configuration/parameter info) • Result(s) of action(success/error with associated result info

10. Amazon CLoudwatch Log target/ aggregation point for monitoring/querying/alerting on various

    logs: • Instance(System) Performance Metrics • OS/Application Logs • AWS Service Logs(Cloudtrail, GuardDuty, Security Hub • VPC flow logs

11. AWS Config • Logs resource configurations(changes) over time • Can

    also record instance OS/Software Configuration changes and updates • Leverage these logs to discover, map, track(and alert on) AWS resource relationships and changes in your account

12. VPC Flow Logs Netflow(ish) type network flow logs Collects and

    delivers network flow log record in aggression intervals

13. Other aws services for IR Amazon GuardDuty Amazon Security Hub

    Amazon Detective

14. Aws Incident response lifecycle

15. Preparation PEOPLE -Train security operations staff on AWS Process -Develop

    an incident response plan & strategy -Run drills & automate simulations where possible Technology -Build AWS accounts for security operations and log archive -Create read only and break glass roles for access to AWS accounts

16. Detection & Analysis DETECTION -Setup CloudTrail organisation trail -Enable amazon

    GuardDuty and aws security hub with security operations account as delegated admin -Monitor the GuardDuty & Security Hub findings ANALYSIS -Query CloudTrail logs with aws athena(or with your SIEM) -Leverage aws detective for investigations and triaging findings

17. Containment, Eradication & recovery CONTAINMENT -Disable/rotate IAM credentials -EC2 isolation

    through security groups and NACLs -System backup through snapshots Eradication -Leverage AWS Systems Manager to patch systems and run commands Recovery -Provision new infrastructure or modify NACLs/SGs back to original state Note: These are just an example

18. Post incident DOCUMENTATION -Complete answers to who, what, where, why,

    and How LESSONS LEARNED -Review IR processes and effectiveness with stakeholder

19. AWS CLOUD forensics

20. What is Cloud Forensics • Cloud Forensics can be defined

    as the application of computer forensics principles and procedures in a cloud computing environment.

21. Cloud Forensic Process Flow IDENTIFICATION EVIDENCE COLLECTION EXAMINATION & ANALYSIS

    PRESERVATION PRESENTATION & REPORTING

22. Significant Log Sources Cloudtrail Cloudtrail Insights Cloudwatch Logs GuardDuty VPC

    Flow Logs S3 Server Access Route53 Load Balancer Logs

23. Isolation…… Create a separate forensic VPC for compromised resources. This

    forensic VPC should not be connected to any other VPCs. Enable a logging mechanism, such as VPC flow logs Create Quarantine and Forensic Security Groups Create specific IAM roles with read-only access to resources Create a snapshot of the EC2 instance Store all log data to a separate S3 bucket with S3 Object Lock and MFA delete Take a memory dump of the instance

24. Cloud forensics challenges • Accessibility of logs • Physical inaccessibility

    • Volatility of data • Identification of evidence at client side • Dependence of CSP trust

25. Get in touch at Twitter: @e11i0t_4lders0n LinkedIn: /in/tushars25 Instagram: @e11i0t_4lders0n__

    Email: [email protected]

26. Thank you